Sumo Logic

Install the Cloud Security Monitoring and Analytics - Palo Alto Networks Firewall App and View the Dashboards

This page provides instructions for installing the Cloud Security Monitoring & Analytics for Palo Alto Networks Firewall App, along with examples of each of the app dashboards.

Install the Sumo Logic App

Now that you have set up collection for PCI for Palo Alto Networks, install the Sumo Logic App for PCI for Palo Alto Networks to use the preconfigured searches and dashboards that provide insight into your data.

To install the app:

Locate and install the app you need from the App Catalog. If you want to see a preview of the dashboards included with the app before installing, click Preview Dashboards.

  1. From the App Catalog, search for and select the app.

  2. Select the version of the service you're using and click Add to Library.

  3. To install the app, complete the following fields.

    1. App Name. You can retain the existing name, or enter a name of your choice for the app.

    2. Data Source. Select either of these options for the data source.

      • Choose Source Category, and select a source category from the list.

      • Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. Example: (_sourceCategory=MyCategory).

    3. Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.

  4. Click Add to Library.

Once an app is installed, it will appear in your Personal folder, or in the other folder that you specified. From here, you can share it with your organization.

Panels will start to fill automatically. Note that each panel fills gradually with data that matches its query time range and that was received after the panel was created. Results won't be available immediately, but after a short while you'll see full graphs and maps.

Dashboards

Palo Alto - Security Analytics - Communication via Critical Ports

Dashboard description: Provides analytics, including trending, for outbound communications via well-known ports. Also provides additional analysis of application communication attempts across the firewall.

Use case: You can use this dashboard to analyze daily traffic patterns in outbound volumes of traffic for the following ports: 21, 22, 23, 53, 123, 137, 138, 389, 445, and 3389. The graph on the left compares the current day’s traffic volumes with the volumes of the same time one, two, and three days ago. The table on the right provides a sortable list of those connections.

Additionally, at the top of the dashboard are two tables containing analytics on known and unknown application connections using the ports listed above.

Palo Alto - Security Analytics - Outbound Traffic and Potential Exfiltration Activity

Dashboard description: View outbound traffic analysis, including DNS activity, for potential indicators of exfiltration activity.

Use case: You can use this dashboard to review volumes of outbound traffic by host and by application, with timeframe comparisons against last week. Unexplained increases in traffic may be the result of unauthorized exfiltration of information. Additional analysis is provided for DNS traffic alone, since large amounts of DNS traffic are not part of normal operations.


Palo Alto - Security Analytics - Potentially Malicious Activity

Dashboard description: See information about traffic to and from IP addresses called out as potentially malicious by threat intelligence, countries that are on the OFAC (embargoed) list, and potential port scans.

Use case: You can use this dashboard to analyze attempted and successful connections to IP addresses on threat intelligence lists, both inbound and outbound. Additionally, you can view connections to geolocated IP addresses associated with countries on the OFAC list (USA embargo list). Finally, the bottom panel provides analysis of vertical port scans (one target scanned on multiple network ports) and horizontal port scans (the same port scanned across multiple destinations).
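The two detections this page describes, outbound volume on the critical ports listed under the Communication via Critical Ports dashboard and the vertical versus horizontal port-scan classification above, as an added Python example that is not Sumo Logic's or Palo Alto Networks' code. It runs over constructed records in a simplified src,dst,dport,bytes_sent,action layout rather than the real PAN-OS TRAFFIC log field order, and the scan thresholds (min_ports, min_hosts) are assumed values, not the app's tuning.

```python
from collections import defaultdict
# Ports tracked by the "Communication via Critical Ports" dashboard (from the page).
CRITICAL_PORTS = {21, 22, 23, 53, 123, 137, 138, 389, 445, 3389}

# Constructed sample records in a simplified src,dst,dport,bytes_sent,action
# layout; real PAN-OS TRAFFIC logs carry many more CSV fields than this.
SAMPLE_LOGS = """\
10.0.0.5,203.0.113.10,22,1200,allow
10.0.0.5,203.0.113.10,23,40,deny
10.0.0.5,203.0.113.10,445,40,deny
10.0.0.5,203.0.113.10,3389,40,deny
10.0.0.5,203.0.113.10,8080,40,deny
10.0.0.9,198.51.100.1,3389,40,deny
10.0.0.9,198.51.100.2,3389,40,deny
10.0.0.9,198.51.100.3,3389,40,deny
10.0.0.9,198.51.100.4,3389,40,deny
10.0.0.7,203.0.113.53,53,900,allow
"""

def parse(text):
    """Yield one dict per non-empty line of the simplified record format."""
    for line in text.splitlines():
        if line.strip():
            src, dst, dport, sent, action = line.split(",")
            yield {"src": src, "dst": dst, "dport": int(dport),
                   "bytes_sent": int(sent), "action": action}

def bytes_by_critical_port(records):
    """Outbound bytes per critical port: the input the trend panel charts per day."""
    totals = defaultdict(int)
    for r in records:
        if r["dport"] in CRITICAL_PORTS:
            totals[r["dport"]] += r["bytes_sent"]
    return dict(totals)

def detect_port_scans(records, min_ports=4, min_hosts=4):
    """Vertical scan: one src->dst pair touching >= min_ports distinct ports.
    Horizontal scan: one src hitting the same port on >= min_hosts destinations.
    Both thresholds are assumed values, not the app's tuning."""
    ports_per_pair = defaultdict(set)
    hosts_per_src_port = defaultdict(set)
    for r in records:
        ports_per_pair[(r["src"], r["dst"])].add(r["dport"])
        hosts_per_src_port[(r["src"], r["dport"])].add(r["dst"])
    vertical = sorted(k for k, v in ports_per_pair.items() if len(v) >= min_ports)
    horizontal = sorted(k for k, v in hosts_per_src_port.items() if len(v) >= min_hosts)
    return {"vertical": vertical, "horizontal": horizontal}

if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOGS))
    print(bytes_by_critical_port(recs))
    print(detect_port_scans(recs))
```

Denied probes to port 8080 count toward the vertical scan but not toward the critical-port totals, which is the distinction the two dashboards draw.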

Palo Alto - Security Monitoring - THREAT Log by Category

Dashboard description: See analytics about the THREAT type logs provided by the firewall. These are the indications of security events detected by the firewall's defensive measures such as anti-malware, network intrusion detection, and the like.

Use case: You can use this dashboard to review THREAT events in summary or broken down by category: Command-and-control, Phishing, Malware, Proxy Anonymizers, Newly Registered Domains, Cryptocurrency, Questionable, and High-Risk.

Palo Alto - Security Monitoring - THREAT Logs by Severity

Dashboard description: See analytics about the THREAT type logs provided by the firewall. These are the indications of security events detected by the firewall's defensive measures such as anti-malware, network intrusion detection, and the like.

Use case: You can use this dashboard to review THREAT events broken down by severity, so you can focus on the critical events first while still seeing events of lesser severity for additional triage and investigation if necessary.

Palo Alto - Security Monitoring - TRAFFIC Log Overview

Dashboard description: See monitoring of allowed and denied traffic over time by volume and host.

Use case: You can use this dashboard to monitor allowed and denied traffic through the firewall. Analysis is provided over time and in lists of top 10 sources, destinations, and hosts.